Description

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016

Related Vulnerabilities

CVE-2013-2133 Vulnerability in maven package org.wildfly:wildfly-ejb3

CVE-2017-15717 Vulnerability in maven package org.apache.sling:org.apache.sling.xss.compat

CVE-2020-7961 Vulnerability in maven package com.liferay.portal:portal-impl

CVE-2023-25164 Vulnerability in npm package @tinacms/cli

CVE-2020-17518 Vulnerability in maven package org.apache.flink:flink-runtime_2.12

Severity

Critical

Classification

CWE-78 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Tags

Vendor Advisory